ruleset: Add the Errno helper

This helper is useful for FFI to easily translate a Landlock error into
an errno value.

Extend check_ruleset_support() with errno translation tests.

Add the unsupported_handled_access_errno() test.

Signed-off-by: Mickaël Salaün <mic@digikod.net>

Author: l0kod

src/errors.rs

@@ -209,3 +209,89 @@ pub(crate) enum TestRulesetError {
     #[error(transparent)]
     File(#[from] std::io::Error),
 }
+
+/// Get the underlying errno value.
+///
+/// This helper is useful for FFI to easily translate a Landlock error into an
+/// errno value.
+#[derive(Debug, PartialEq, Eq)]
+pub struct Errno(libc::c_int);
+
+impl Errno {
+    pub fn new(value: libc::c_int) -> Self {
+        Self(value)
+    }
+}
+
+impl<T> From<T> for Errno
+where
+    T: std::error::Error,
+{
+    fn from(error: T) -> Self {
+        let default = libc::EINVAL;
+        if let Some(e) = error.source() {
+            if let Some(e) = e.downcast_ref::<std::io::Error>() {
+                return Errno(e.raw_os_error().unwrap_or(default));
+            }
+        }
+        Errno(default)
+    }
+}
+
+impl AsRef<libc::c_int> for Errno {
+    fn as_ref(&self) -> &libc::c_int {
+        &self.0
+    }
+}
+
+#[cfg(test)]
+fn _test_ruleset_errno(expected_errno: libc::c_int) {
+    use std::io::Error;
+
+    let handle_access_err = RulesetError::HandleAccesses(HandleAccessesError::Fs(
+        HandleAccessError::Compat(CompatError::Access(AccessError::Empty)),
+    ));
+    assert_eq!(Errno::from(handle_access_err).0, libc::EINVAL);
+
+    let create_ruleset_err = RulesetError::CreateRuleset(CreateRulesetError::CreateRulesetCall {
+        source: Error::from_raw_os_error(expected_errno),
+    });
+    assert_eq!(Errno::from(create_ruleset_err).0, expected_errno);
+
+    let add_rules_fs_err = RulesetError::AddRules(AddRulesError::Fs(AddRuleError::AddRuleCall {
+        source: Error::from_raw_os_error(expected_errno),
+    }));
+    assert_eq!(Errno::from(add_rules_fs_err).0, expected_errno);
+
+    let add_rules_net_err = RulesetError::AddRules(AddRulesError::Net(AddRuleError::AddRuleCall {
+        source: Error::from_raw_os_error(expected_errno),
+    }));
+    assert_eq!(Errno::from(add_rules_net_err).0, expected_errno);
+
+    let add_rules_other_err =
+        RulesetError::AddRules(AddRulesError::Fs(AddRuleError::UnhandledAccess {
+            access: AccessFs::Execute.into(),
+            incompatible: BitFlags::<AccessFs>::EMPTY,
+        }));
+    assert_eq!(Errno::from(add_rules_other_err).0, libc::EINVAL);
+
+    let restrict_self_err = RulesetError::RestrictSelf(RestrictSelfError::RestrictSelfCall {
+        source: Error::from_raw_os_error(expected_errno),
+    });
+    assert_eq!(Errno::from(restrict_self_err).0, expected_errno);
+
+    let set_no_new_privs_err = RulesetError::RestrictSelf(RestrictSelfError::SetNoNewPrivsCall {
+        source: Error::from_raw_os_error(expected_errno),
+    });
+    assert_eq!(Errno::from(set_no_new_privs_err).0, expected_errno);
+
+    let create_ruleset_missing_err =
+        RulesetError::CreateRuleset(CreateRulesetError::MissingHandledAccess);
+    assert_eq!(Errno::from(create_ruleset_missing_err).0, libc::EINVAL);
+}
+
+#[test]
+fn test_ruleset_errno() {
+    _test_ruleset_errno(libc::EACCES);
+    _test_ruleset_errno(libc::EIO);
+}

src/lib.rs

@@ -83,8 +83,9 @@ pub use access::Access;
 pub use compat::{CompatLevel, Compatible, ABI};
 pub use enumflags2::{make_bitflags, BitFlags};
 pub use errors::{
-    AccessError, AddRuleError, AddRulesError, CompatError, CreateRulesetError, HandleAccessError,
-    HandleAccessesError, PathBeneathError, PathFdError, RestrictSelfError, RulesetError,
+    AccessError, AddRuleError, AddRulesError, CompatError, CreateRulesetError, Errno,
+    HandleAccessError, HandleAccessesError, PathBeneathError, PathFdError, RestrictSelfError,
+    RulesetError,
 };
 pub use fs::{path_beneath_rules, AccessFs, PathBeneath, PathFd};
 pub use net::{AccessNet, NetPort};
@@ -168,13 +169,18 @@ mod tests {
                 let errno = get_errno_from_landlock_status();
                 println!("Expecting error {errno:?}");
                 match ret {
-                    Err(TestRulesetError::Ruleset(RulesetError::CreateRuleset(
-                        CreateRulesetError::CreateRulesetCall { source },
-                    ))) => match (source.raw_os_error(), errno) {
-                        (Some(e1), Some(e2)) => assert_eq!(e1, e2),
-                        (Some(e1), None) => assert!(matches!(e1, libc::EINVAL | libc::E2BIG)),
-                        _ => unreachable!(),
-                    },
+                    Err(
+                        ref error @ TestRulesetError::Ruleset(RulesetError::CreateRuleset(
+                            CreateRulesetError::CreateRulesetCall { ref source },
+                        )),
+                    ) => {
+                        assert_eq!(source.raw_os_error(), Some(*Errno::from(error).as_ref()));
+                        match (source.raw_os_error(), errno) {
+                            (Some(e1), Some(e2)) => assert_eq!(e1, e2),
+                            (Some(e1), None) => assert!(matches!(e1, libc::EINVAL | libc::E2BIG)),
+                            _ => unreachable!(),
+                        }
+                    }
                     _ => unreachable!(),
                 }
             }

src/ruleset.rs

@@ -1024,3 +1024,15 @@ fn unsupported_handled_access() {
         )))
     );
 }
+
+#[test]
+fn unsupported_handled_access_errno() {
+    assert_eq!(
+        Errno::from(
+            Ruleset::from(ABI::V3)
+                .handle_access(AccessNet::from_all(ABI::V3))
+                .unwrap_err()
+        ),
+        Errno::new(libc::EINVAL)
+    );
+}